Control Self-Assessment (CSA) is a technique originally developed by Gulf Canada in 1987. In March 2000, the European Commission adopted a White Paper on CSA. In the United States, when the Sarbanes-Oxley Act was implemented in 2007, Section 404 of the Act required companies to conduct a top-down risk assessment that required CSA. In the UK, the Financial Services Authority (now the Financial Conduct Authority) recognized in its 2011 recommendations to improve operational risk management that the assessment of risks through an audit self-assessment can be an important means of identifying risks. Today, a wide variety of entities, including private sector companies, voluntary sector (charities) and public sector entities, use CSA to assess the effectiveness of their risk management and control processes.
The Institute of Internal Auditors organizes courses and seminars and offers the Certification in Control Self-Assessment (CCSA).
The Information Systems Audit and Control Association (ISACA) has created a framework called COBIT (Control Objectives for Information and Related Technology). Control Self-evaluation is part of COBIT’s Control Objective ME2.4.
What is control self-assessment?
CSA is a management technique that can be used to assure key stakeholders, both internal and external, that a company’s internal control system is reliable. CSA enables managers and work teams directly involved in the business units, functions or processes to participate in the assessment of the company’s risk management and control processes. CSA can include objectives, risks, controls and processes.
CSA is a sustainable process whereby management validates the operational effectiveness of its internal controls through testing. Every process owner and functional control owner within a company conducts effectiveness testing to verify that key controls are working effectively.
Each process owner develops test scripts for each key control and involves their team in performing those tests throughout the year. This allows management to verify that these controls are working effectively. A CSA program extends the role of operational management from just reviewing the design of its internal controls to testing and validating the effectiveness of its internal controls throughout the year.
Benefits of a CSA Program
An effective CSA program can bring a number of benefits, including:
• Creating a clear line of accountability for internal controls;
• Minimizing the risk of fraud;
• Creating an improved control environment resulting in a lower risk profile for the company;
• Sustainability of management’s compliance program;
• Reducing regulatory compliance costs.
The first step in any CSA program is to document the company’s control processes with the aim of identifying appropriate ways to measure or test each control. The actual testing of controls is performed by employees whose day-to-day roles are within the area of the company being evaluated, as they have the most knowledge of how the processes work. The usual techniques for conducting the assessments are:
• Internal Audit Questionnaire (ICQ) or tailor-made survey questionnaires
• Interview techniques
• Control Model Workshops or Interactive Workshops
Some companies choose a combination of methodologies appropriate to their operations to implement an effective CSA program. Upon completion of the assessment, each control can be assessed based on the responses received to determine the likelihood of failure and the impact of failure. These assessments can be summarized to produce a risk matrix representing potentially sensitive areas.
In any CSA program, the main steps are to define the nature and scope of the company’s CSA program, roll out the program, conduct the initial round of testing and assessment, and then incorporate the lessons learned before the process is repeated.
Entities have different drivers for wanting to improve the internal control environment, e.g. legal requirements, a change of ownership, a change in senior management, the implementation of a large ERP system, or simply a desire for stronger internal controls to improve efficiency. Whatever the driver, implementing a CSA program should be considered. By implementing an effective CSA program, the entity can embed internal control accountability deep into the business, ensure the sustainability of internal controls compliance efforts, and ultimately reduce the costs of overall compliance efforts. In other words, an effective CSA program will encourage a much-improved internal control environment, assuring all key stakeholders, both internal and external, that the company’s controls are working effectively.